Vendor Management: SSAE 18. Presented by Joseph Kirkpatrick CISSP, CISA, CGEIT, CRISC, QSA Managing Partner


Welcome. Joseph Kirkpatrick is the Managing Partner at KirkpatrickPrice and holds the CISSP, CISA, CGEIT, CRISC, and QSA certifications, specializing in data security, IT governance, and regulatory compliance. He enjoys helping clients and stakeholders navigate the complex maze of compliance and regulatory requirements.


Overview
- Moving to SSAE 18
- How Service Organizations affect Financial Institutions
- Internal Controls over Financial Reporting (ICFR)
- Using the SSAE 18 for Vendor Management

SSAE 18 took effect for service auditor reports dated on or after May 1, 2017. Why the change?
- Convergence with international standards
- Simplification

Convergence: The Auditing Standards Board (ASB) seeks to converge its standards with those of the International Auditing and Assurance Standards Board (IAASB). The corresponding international standard is ISAE 3000, the International Standard on Assurance Engagements; for reports on controls at a service organization (SOC 1), the international counterpart is ISAE 3402.

Simplification: The attestation (AT) section of the AICPA Professional Standards contains the standards under which Certified Public Accountants (CPAs) examine and report on an assertion, applying objectivity and professional skepticism. These AT sections are issued in the form of Statements on Standards for Attestation Engagements (SSAE).

Simplification: The following AT sections were codified into a single SSAE:
- AT sec. 20
- AT sec. 50
- AT sec. 101 (SOC 2)
- AT sec. 201
- AT sec. 301
- AT sec. 401
- AT sec. 601
- AT sec. 701
- AT sec. 801 (SOC 1 / SSAE 16)

SSAE No. 18 sections:
- AT-C sec. 105 (SOC 1 and SOC 2): Concepts Common to All Attestation Engagements
- AT-C sec. 205 (SOC 1 and SOC 2): Examination Engagements
- AT-C sec. 210: Review Engagements
- AT-C sec. 215: Agreed-Upon Procedures Engagements
- AT-C sec. 305: Prospective Financial Information
- AT-C sec. 310: Reporting on Pro Forma Financial Information
- AT-C sec. 315: Compliance Attestation
- AT-C sec. 320 (SOC 1): Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
- AT-C sec. 395: Management's Discussion and Analysis

SSAE No. 18, the two sections that matter for SOC reporting:
- AT-C sec. 205 (SOC 1, SOC 2, CSA): Examination Engagements
- AT-C sec. 320 (SOC 1): Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting

How do Service Organizations affect Financial Institutions? Typical service organizations:
- Data Processor
- Deposit/Loan Platform
- Data Center
- Payroll Provider
- Annual Report Print Provider
- Document Management Services
- Cloud Backup Provider

How do Service Organizations affect Financial Institutions? What is the Financial Institution's responsibility?
- Assess Risk
- Determine Risk
- Implement Risk Management

How do Service Organizations affect Financial Institutions? The FFIEC IT Examination Handbook directs examiners to "review audit and consultant reports, management's responses, and problem tracking systems to identify potential issues for examination follow-up." Possible sources include:
- Internal and external audit reports, attestation reports (e.g. SSAE 16, now SSAE 18) and other reviews of service providers
- Security reviews/evaluations from internal risk review or external consultants (including vulnerability and penetration testing)
- Findings from GLBA security and control tests and annual GLBA reports to the board

How do Service Organizations affect Financial Institutions? ICFR enhances the reliability of financial statements by reducing the risk of material errors or misstatements. Financial reporting controls are designed to provide reasonable assurance that the institution's financial statements are reliable and prepared in accordance with generally accepted accounting principles. The security properties those controls depend on: Confidentiality, Integrity, Availability.


SSAE No. 18 AT-C Sec. 320 applies beginning with reports dated on or after May 1, 2017.

Service Organization Control (SOC) Reports
- SOC 1: Type I, as of a date; Type II, through an audit period
- SOC 2: Type I, as of a date; Type II, through an audit period

Evaluating Service Organization Controls: How reasonable are the controls and the corresponding tests?

Control Objectives

Commonly Omitted Controls. Be on the lookout for:
- Application Development
- Configuration Management
- Encryption Methodologies
- Log Management
- Vendor Management

New for the SSAE 18, AT-C Sec. 320: Monitoring the Effectiveness of Controls at Subservice Organizations

Subservice Organizations: monitoring includes some combination of ongoing monitoring, to determine that potential issues are identified timely, and separate evaluations, to determine that the effectiveness of internal control is maintained over time.

Ongoing Monitoring
- Reviewing and reconciling output reports
- Holding periodic discussions with the subservice organization
- Making regular site visits to the subservice organization
- Testing controls at the subservice organization by members of the service organization's internal audit function
- Reviewing Type I or Type II reports on the subservice organization's system
- Monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization

Using the SSAE 18 for Monitoring Vendors. Develop a fiduciary mindset with your vendors:
- Annual Reviews
- Ongoing Performance Reports
- Site Visits

Implement processes for monitoring critical controls:
- Vulnerability Releases
- Incident Reports
- Technology Changes
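As an added example (not from the presentation or from KirkpatrickPrice), the review steps above can be encoded so a vendor's SOC file is checked the same way every year: only Type II periods count toward coverage of the review window, a gap at the end of the window flags a bridge letter request, each report's scope is compared against the commonly omitted control areas, and carved-out subservice organizations are checked for Type II coverage of their own under AT-C 320. The vendor names, dates and control areas in the sample file are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Control areas the presentation lists as commonly omitted from SOC reports.
COMMONLY_OMITTED: Set[str] = {"application development", "configuration management",
                              "encryption", "log management", "vendor management"}


@dataclass
class SocReport:
    vendor: str
    soc_series: str          # "SOC 1" (AT-C 320, ICFR) or "SOC 2"
    report_type: int         # 1 = design as of a date, 2 = operating effectiveness through a period
    period_start: date       # for a Type I this equals period_end (the "as of" date)
    period_end: date
    control_areas: Set[str] = field(default_factory=set)
    carved_out: List[str] = field(default_factory=list)   # subservice orgs excluded from scope


def coverage_gaps(reports: List[SocReport], review_start: date,
                  review_end: date) -> List[Tuple[date, date]]:
    """Dates inside the review window that no Type II period covers.

    A Type I speaks only to design as of one date, so it never closes a gap.
    A trailing gap is the usual case where a bridge letter or the next report is needed.
    """
    gaps = []
    cursor = review_start
    for r in sorted((r for r in reports if r.report_type == 2), key=lambda r: r.period_start):
        if r.period_end < cursor:
            continue                                # ends before the still-uncovered part of the window
        if r.period_start > cursor:
            gaps.append((cursor, min(r.period_start - timedelta(days=1), review_end)))
        cursor = max(cursor, r.period_end + timedelta(days=1))
        if cursor > review_end:
            break
    if cursor <= review_end:
        gaps.append((cursor, review_end))
    return gaps


def missing_control_areas(report: SocReport) -> Set[str]:
    """Commonly omitted control areas the report's system description does not address."""
    return COMMONLY_OMITTED - {a.strip().lower() for a in report.control_areas}


def uncovered_subservice_orgs(reports: List[SocReport], subservice_reports: Dict[str, List[SocReport]],
                              review_start: date, review_end: date) -> List[str]:
    """Carved-out subservice organizations lacking Type II coverage of their own for the window.

    With the carve-out method the user entity must obtain the subservice
    organization's own report to close the chain of assurance.
    """
    uncovered: List[str] = []
    for r in reports:
        for sub in r.carved_out:
            if sub not in uncovered and coverage_gaps(subservice_reports.get(sub, []), review_start, review_end):
                uncovered.append(sub)
    return uncovered


def evaluate_vendor(reports: List[SocReport], subservice_reports: Dict[str, List[SocReport]],
                    review_start: date, review_end: date) -> List[str]:
    """Plain-text findings for the vendor file, in the order a reviewer would raise them."""
    findings: List[str] = []
    if not any(r.report_type == 2 for r in reports):
        findings.append("no Type II report on file; a Type I gives no assurance of operating effectiveness")
    for start, end in coverage_gaps(reports, review_start, review_end):
        findings.append(f"no Type II coverage from {start} to {end}; request a bridge letter or the next report")
    for r in reports:
        missing = missing_control_areas(r)
        if missing:
            findings.append(f"{r.soc_series} Type {r.report_type} does not address: {', '.join(sorted(missing))}")
    for sub in uncovered_subservice_orgs(reports, subservice_reports, review_start, review_end):
        findings.append(f"carved-out subservice organization '{sub}' has no SOC coverage for the review window")
    return findings


# Constructed sample vendor file: hypothetical names, dates and control areas, not from the presentation.
REVIEW_START, REVIEW_END = date(2017, 1, 1), date(2017, 12, 31)
SAMPLE_REPORTS = [
    SocReport("Example Core Processor", "SOC 1", 2, date(2017, 1, 1), date(2017, 9, 30),
              control_areas={"Logical Access", "Change Management", "Application Development",
                             "Configuration Management", "Encryption"},
              carved_out=["Example Colo Data Center"]),
    SocReport("Example Core Processor", "SOC 2", 1, date(2017, 12, 31), date(2017, 12, 31),
              control_areas={"Logical Access", "Application Development", "Configuration Management",
                             "Encryption", "Log Management", "Vendor Management"}),
]
SAMPLE_SUBSERVICE: Dict[str, List[SocReport]] = {}   # the data center has supplied no report

if __name__ == "__main__":
    for finding in evaluate_vendor(SAMPLE_REPORTS, SAMPLE_SUBSERVICE, REVIEW_START, REVIEW_END):
        print("FINDING:", finding)
```

Run against the sample file this raises three findings: a fourth-quarter coverage gap (the SOC 1 Type II ended September 30 and the Type I dated December 31 does not fill it), the SOC 1 report's silence on log management and vendor management, and the carved-out data center with no report of its own. Feeding it the vendor's next report, or the subservice organization's report, clears the corresponding finding, which is the annual review loop the slides describe.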

Vendor Compliance Management
- Use the Online Audit Manager to ask questions of your vendors
- Hire our specialized resources to perform site visits with your critical vendors
- Access our webinar recordings on several topics dealing with vendor compliance management

OnlineAuditManager.com

Questions? For further information, contact: Joseph Kirkpatrick, joseph@kirkpatrickprice.com


Joseph Kirkpatrick joseph@kirkpatrickprice.com www.cbancnetwork.com/education